SELF-AUDIT FOR HIPAA COMPLIANCE COMING TO OCALA FLORIDA – IS YOUR PRACTICE READY?

Physician practices are frequently advised to know the requirements for obtaining reimbursement from a payor for services rendered and to have the necessary documentation in place to withstand an audit. But do you know the same holds true for a HIPAA audit of your practice conducted by the U.S. Office for Civil Rights (OCR)? In other words, every physician practice should know the minimum requirements of the HIPAA Privacy, Security and Breach Notification Rules and be prepared to prove compliance should OCR come calling. OCR’s audit protocol is extremely comprehensive, but as a starting point you should make sure you have forms, policies and procedures in place to implement the following:

  • Privacy Rule requirements:
    • Notice of Privacy Practices
      • Revised Notice required as of September 23, 2013
    • Patient rights to request restrictions on disclosure of PHI
      • Certain restriction requests must be granted
    • Patient rights to access their PHI
      • Special rules apply for EHR
    • Uses and disclosures of PHI
      • Special authorizations apply for certain disclosures
    • Accounting of disclosures
      • Accountings differ when an EHR is involved
    • Amendment of PHI
      • Protocol required for responding to patient requests to amend
    • Business Associate Agreements
      • Revised agreements to reflect new definitions and subcontractors
    • Training of personnel, including physicians
      • Documented training must occur upon hire and at least annually
  • Security Rule requirements:
    • Administrative safeguards
      • Mandatory security risk assessment
      • Workforce security and training
      • Contingency plan
      • Security awareness and training
    • Physical safeguards
      • Facility access control
      • Workstation use and security
      • Device and media controls
    • Technical safeguards
      • Access control
      • Transmission security
        • Encryption analysis
        • Secure patient portals
  • Breach Notification Rule requirements:
    • Protocol for responding to a security incident
      • Data Breach Notification Policy and Procedures required
      • State laws must be addressed
    • Risk assessment to determine whether a breach has occurred
      • New factors must be applied
    • Steps to take when a breach has occurred
      • Documentation of the investigation must be maintained
    • Notification of affected individuals, HHS and the media
      • Timeframes must be met

If you are missing any of the above from your HIPAA Compliance Program, your practice is at risk. To make matters worse, the HITECH Act increased the penalties for non-compliance. For assistance, contact Evan Meyerberg at www.greatchoice.com or by calling 877-290-0489.